From: dtk@all.net
Reply-to: dtk@all.net
Organization: Deception ToolKit Mailing List
Subject: DTK Mailing List 19990410
<pre>---------------------------------------------
Date: Sun, 11 Apr 1999 00:39:32 -0400 (EDT)
From: Lance Spitzner <spitzner@dimension.net>
Subject: Scans and such

On Sat, 10 Apr 1999 dtk@all.net wrote:

> '1999/04/10 16:56:01','Allow','209.142.33.65','root','thttpd','Internet','',''
> '1999/04/10 16:56:17','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/phf
> '1999/04/10 16:56:25','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/Count.cgi
> '1999/04/10 16:56:39','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/test-cgi
> '1999/04/10 16:56:44','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/php.cgi
> '1999/04/10 16:56:51','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/handler
> '1999/04/10 16:57:07','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/webgais
> '1999/04/10 16:57:12','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/websendmail
> '1999/04/10 16:57:17','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/webdist.cgi
> '1999/04/10 16:57:24','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/faxsurvey
> '1999/04/10 16:57:31','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/htmlscript
> '1999/04/10 16:57:47','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/pfdisplay.cgi
> '1999/04/10 16:57:52','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/perl.exe
> '1999/04/10 16:57:57','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/wwwboard.pl

This cgi exploit scan is the result of sscan by jsbach.  It looks for these by default.
I'm currently writing a paper on how to determine what scanners were used by reviewing
log files and sniff traces.  I have also been tracking scans and posting the results,
which you will find at:

	[see below for current version] http://www.enteract.com/~lspitz/alert.log.

Lance Spitzner			http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer	Dimension Enterprises Inc
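
Spitzner's point above, that the set and order of requested CGI programs identify the scanner, can be checked mechanically against DTK output. The following Python is an added example, not code from the original post, from DTK or from sscan: it parses DTK-style log lines, groups cgi-bin requests by source address, and compares each source's probe list and order with the thirteen programs in the quoted log, which the post says sscan requests by default. The DTK field layout (timestamp, action, source, user, service, interface, request) is inferred from the quoted lines; the 209.142.33.65 sample lines reproduce the post, and the 10.0.0.5 lines are constructed here as a negative case.

```python
"""Fingerprint sscan's default CGI probe list in DTK-style log lines.

Added example; not code from the original post, DTK or sscan.  The field
layout is inferred from the quoted log and the 10.0.0.5 lines are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# CGI programs sscan requests by default, in the order seen in the quoted log.
SSCAN_CGI_PROBES = [
    "phf", "Count.cgi", "test-cgi", "php.cgi", "handler", "webgais",
    "websendmail", "webdist.cgi", "faxsurvey", "htmlscript",
    "pfdisplay.cgi", "perl.exe", "wwwboard.pl",
]
SSCAN_SET = set(SSCAN_CGI_PROBES)

# A DTK record is a run of single-quoted fields separated by commas.  The last
# field in the quoted log has no closing quote, so that quote is optional.
FIELD_RE = re.compile(r"'([^']*)'?(?:,|$)")
CGI_RE = re.compile(r"^(?:GET|HEAD|POST)\s+/cgi-bin/([^\s?/]+)")


def parse_dtk_line(line):
    """Split one DTK line into its fields; None if it is not a full record."""
    fields = FIELD_RE.findall(line.strip())
    if len(fields) < 7:
        return None
    return {
        "ts": datetime.strptime(fields[0], "%Y/%m/%d %H:%M:%S"),
        "action": fields[1],
        "src": fields[2],
        "service": fields[4],
        "request": fields[6],
    }


def cgi_name(request):
    """Program name from 'GET /cgi-bin/<name>...', or None for other requests."""
    m = CGI_RE.match(request)
    return m.group(1) if m else None


def follows_default_order(names):
    """True if names occur in the same relative order as sscan's default list
    (gaps allowed, so a dropped request does not break the match)."""
    it = iter(SSCAN_CGI_PROBES)
    return all(any(n == cand for cand in it) for n in names)


def fingerprint(lines, min_hits=8):
    """Per source address, compare its cgi-bin probes with sscan's defaults."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_dtk_line(line)
        if rec is None or rec["service"] != "thttpd":
            continue
        name = cgi_name(rec["request"])
        if name:
            by_src[rec["src"]].append((rec["ts"], name))

    report = {}
    for src, probes in by_src.items():
        probes.sort()
        seen = []                      # first occurrence of each name, in time order
        for _, n in probes:
            if n not in seen:
                seen.append(n)
        hits = [n for n in seen if n in SSCAN_SET]
        unknown = [n for n in seen if n not in SSCAN_SET]
        in_order = follows_default_order(hits)
        report[src] = {
            "hits": len(hits),
            "of": len(SSCAN_CGI_PROBES),
            "in_order": in_order,
            "unknown": unknown,          # probes outside the default list
            "duration_s": (probes[-1][0] - probes[0][0]).total_seconds(),
            "verdict": ("sscan default CGI list"
                        if len(hits) >= min_hits and in_order
                        else "other/unknown scanner"),
        }
    return report


# Timestamps of the thirteen probes in the quoted DTK log.
_POST_TIMES = ["16:56:17", "16:56:25", "16:56:39", "16:56:44", "16:56:51",
               "16:57:07", "16:57:12", "16:57:17", "16:57:24", "16:57:31",
               "16:57:47", "16:57:52", "16:57:57"]
SAMPLE_LINES = [
    "'1999/04/10 16:56:01','Allow','209.142.33.65','root','thttpd','Internet','',''",
] + [
    f"'1999/04/10 {t}','Allow','209.142.33.65','root','thttpd','Internet','GET /cgi-bin/{n}"
    for t, n in zip(_POST_TIMES, SSCAN_CGI_PROBES)
] + [  # constructed negative case: same programs, wrong order, plus an extra probe
    "'1999/04/10 17:10:00','Allow','10.0.0.5','root','thttpd','Internet','GET /cgi-bin/Count.cgi",
    "'1999/04/10 17:10:05','Allow','10.0.0.5','root','thttpd','Internet','GET /cgi-bin/phf",
    "'1999/04/10 17:10:09','Allow','10.0.0.5','root','thttpd','Internet','GET /cgi-bin/nph-test-cgi",
]

if __name__ == "__main__":
    for src, info in fingerprint(SAMPLE_LINES).items():
        print(src, info)
```

Run it directly to print the per-source report. Relative order matters as much as the hit count: a source that requests the same programs in a different order, or requests programs outside the default list, is either a different tool or sscan with a customised list, which is why unknown probes are reported separately rather than ignored. The field regex deliberately accepts the unterminated last field seen in the quoted log.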
---------------------------------------------
http://www.enteract.com/~lspitz/alert.log as of April 10, 1999
---------------------------------------------
#
# This file is the result of the script alert.sh.
# The purpose of this file is to keep a single entry
# of every system that has scanned this network.  
# 
# Only the first connection/service is logged to this file
# To review every port that was scanned by each Source, review
# the file archive.log
#

Source: 1Cust230.tnt47.chi5.da.uu.net   Date: 13Feb1999         Service: Back_Orifice
Source: 24.93.105.152                   Date: 15Feb1999         Service: login
Source: node3073.neksed.midusa.net      Date: 16Feb1999         Service: pop-3
Source: zanussi.netcraft.co.uk          Date: 19Feb1999         Service: domain-tcp
Source: mdhost.earthdesign.com          Date: 21Feb1999         Service: portmapper
Source: urban.yeungnam.ac.kr            Date: 21Feb1999         Service: portmapper
Source: 207.70.221.13                   Date: 26Feb1999         Service: Back_Orifice
Source: pericles.ucsd.edu               Date: 26Feb1999         Service: portmapper
Source: gregory.mikrus.pw.edu.pl        Date: 28Feb1999         Service: domain-tcp
Source: cr769111-a.wlfdle1.on.wave.home.com     Date: 28Feb1999         Service: portmapper
Source: ltc.cc.u-ryukyu.ac.jp           Date: 28Feb1999         Service: ftp
Source: lab3-gw.as.wm.edu               Date: 13Mar1999         Service: domain-tcp
Source: slip-32-100-190-21.il.us.ibm.net        Date: 15Mar1999         Service: Back_Orifice
Source: spock.peak.org                  Date: 16Mar1999         Service: domain-tcp
Source: CS001-02.wsc.edu                Date: 16Mar1999         Service: domain-tcp
Source: jrcsl.snu.ac.kr                 Date: 18Mar1999         Service: domain-tcp
Source: 1Cust245.tnt48.chi5.da.uu.net   Date: 18Mar1999         Service: Back_Orifice
Source: 1Cust245.tnt48.chi5.da.uu.net   Date: 19Mar1999         Service: Back_Orifice
Source: zanussi.netcraft.co.uk          Date: 19Mar1999         Service: domain-tcp
Source: 1Cust211.tnt48.chi5.da.uu.net   Date: 19Mar1999         Service: Back_Orifice
Source: 199.179.160.74                  Date: 20Mar1999         Service: Back_Orifice
Source: nathan.enteract.com             Date: 20Mar1999         Service: Back_Orifice
Source: 1Cust240.tnt47.chi5.da.uu.net   Date: 20Mar1999         Service: Back_Orifice
Source: cobak.networkstatistics.com     Date: 20Mar1999         Service: domain-tcp
Source: 1Cust240.tnt47.chi5.da.uu.net   Date: 21Mar1999         Service: Back_Orifice
Source: 195.41.182.130                  Date: 21Mar1999         Service: ftp
Source: 128.123.63.59                   Date: 21Mar1999         Service: ftp
Source: a1-3a222.neo.rr.com             Date: 21Mar1999         Service: domain-tcp
Source: pm3-6-22.chi-focal.enteract.com         Date: 24Mar1999         Service: Back_Orifice
Source: eehci01.sogang.ac.kr            Date: 25Mar1999         Service: ftp
Source: 129.15.12.64                    Date: 26Mar1999         Service: domain-tcp
Source: lager.im.uec.ac.jp              Date: 26Mar1999         Service: finger
Source: sonne.checktec.de               Date: 26Mar1999         Service: domain-tcp
Source: beagle.ife.med.uva.es           Date: 27Mar1999         Service: domain-tcp
Source: 153.36.134.209                  Date: 27Mar1999         Service: Back_Orifice
Source: 204.201.85.75                   Date: 27Mar1999         Service: portmapper
Source: 1Cust205.tnt3.chi5.da.uu.net    Date: 28Mar1999         Service: Back_Orifice
Source: 195.58.131.254                  Date: 28Mar1999         Service: domain-tcp
Source: 1Cust169.tnt11.chi5.da.uu.net   Date: 28Mar1999         Service: Back_Orifice
Source: fw1.cybermax.net                Date: 29Mar1999         Service: 7
Source: cx56939-a.vista1.sdca.home.com          Date: 29Mar1999         Service: portmapper
Source: cr785040-a.lndn1.on.wave.home.com       Date: 29Mar1999         Service: ftp
Source: fw.ssc.com                      Date: 29Mar1999         Service: 7
Source: NEW93100143.columbus.rr.com     Date: 30Mar1999         Service: domain-tcp
Source: r191-5-dsl.sea.lightrealm.net   Date: 1Apr1999          Service: portmapper
Source: pdsweb1.pds.com                 Date: 2Apr1999          Service: ftp
Source: m-burg-01.rewiss.fu-berlin.de   Date: 2Apr1999          Service: imap
Source: 207.1.80.2                      Date: 2Apr1999          Service: telnet
Source: c67139-a.htfdc1.ct.home.com     Date: 3Apr1999          Service: telnet
Source: pc433.holmlia.online.no         Date: 3Apr1999          Service: portmapper
Source: 151.196.205.119                 Date: 3Apr1999          Service: imap
Source: dns.abcbank.com                 Date: 3Apr1999          Service: domain-tcp
Source: act181-90.ucsd.edu              Date: 4Apr1999          Service: portmapper
Source: 151.196.205.119                 Date: 4Apr1999          Service: imap
Source: chandi.451sys.net               Date: 4Apr1999          Service: pop-3
Source: 216.46.81.13                    Date: 4Apr1999          Service: imap
Source: balder.netcetera.dk             Date: 4Apr1999          Service: domain-tcp
Source: 207-229-148-40.d.enteract.com   Date: 4Apr1999          Service: Back_Orifice
Source: c67139-a.htfdc1.ct.home.com     Date: 5Apr1999          Service: portmapper
Source: 195.158.65.2                    Date: 5Apr1999          Service: telnet
Source: chandi.451sys.net               Date: 5Apr1999          Service: pop-3
Source: dns3.totalaccess.net            Date: 5Apr1999          Service: imap
Source: eth0.carebear.SNV2.globalcenter.net     Date: 6Apr1999          Service: domain-tcp
Source: chandi.451sys.net               Date: 6Apr1999          Time: 18:35:23  Service: pop-3
Source: c40430-a.frmt1.sfba.home.com    Date: 7Apr1999          Time: 2:00:57   Service: ftp
Source: 203.245.61.11                   Date: 7Apr1999          Time: 3:31:16   Service: ftp
Source: 207.175.4.4                     Date: 7Apr1999          Time: 3:34:57   Service: telnet
Source: beirut.leb.net                  Date: 7Apr1999          Time: 6:49:40   Service: domain-tcp
Source: 209.226.17.29                   Date: 7Apr1999          Time: 12:55:07  Service: ftp

---------------------------------------------
